Basic 1 to 17

This article is for...wait....you got it....BASIC 1 TO 17!
This is a "how-to" and may contain some spoilers.

Hey fellow hackers, this is my article on basic web hacking 1 to 17. Yes, you heard right, all that are out right now. I recommend that before starting you learn some basic HTML.
So, here it is:

_Basic 1_
Some of you who are very stumped or are new to hacking may just think, hm, what shall I do? Here's what you do! Download Firefox (http://getfirefox.com) and press Ctrl+U, or if you can't get hold of Firefox just find a way to view the source.
Once you are in the source you need to know what an HTML comment looks like; for those who don't know, it's <!-- comment here -->. So, in the source do a search (Ctrl+F) and find any comments. Once you have found the right comment, you should know what it is; work it out, then type the answer in the password box and hit submit. Then basic 1 is out of the way, on to basic 2.

_Basic 2_
Aha, Drake has learnt about the <iframe> tag! If by now you still don't know any HTML, an iframe allows you to embed a webpage inside a webpage. So, again we need to view the source and then do another search; this time search for "<iframe" (without the quotes, of course), which will show you where the iframe is reading from. When you have found it, you have to put its exact "src" in the box. Wooo, basic 1 and 2 are over! Basic 3 here we come!

_Basic 3_
Hm, you may be thinking "What's a user agent?" Well, a user agent is your browser and platform/OS, and for this challenge you need to change your user agent. If you still haven't got Firefox and you're in IE, you're a bit stuck: in Firefox you can get an extension which lets you change your user agent (http://chrispederick.com/work/useragentswitcher/), but in IE you have to spend a long time in regedit trying to change it. Once you have Firefox and the user agent switcher installed, you just have to edit the user agent to the right string (bwh3_user_agent). Woooo more points! Basic 4 now...

_Basic 4_
This one is pretty straightforward. As you see, you get this: "ERROR: htpasswd.php file not found in basic4/", which tells us the file "htpasswd.php" is not in the /basic4/ directory, so all you have to do is move up a dir!

_Basic 5_
This one is tricky; all you have to know is that an asterisk is a wildcard: it can mean anything. So for username and password it would be *:* and an e-mail would be *@*.*, so from that you should be able to figure it out.

_Basic 6_
Hurray! Basic 6! Unix! For this you'll need to know some basic Unix commands. The first is chmod; this command allows you to change the permissions of a file. On this challenge you need to chmod the logs/logs.txt then remove it. So what we have to do is chmod it to all and execute (chmod a+x). After you've entered the chmod command into the first box we have to remove it; this command is "rm". After that, you have to remove the track_logs.php file to stop you getting tracked.

_Basic 7_
Right, for those who just went ahead with SQL injection as soon as they saw the word "sql", you're wrong. But for those who read the description through well, you may notice it says "This time Mr. Deitry decided to make a cookie login script and he said he decrypted it from ASCII encryption".
For some of you, you may be thinking "What's ASCII encryption?!" Well, I'll give you a hint: 011000100110100101101110011000010111001001111001. Now, time to check our cookies to see what we need to decrypt! If you have alerted the cookies (javascript:alert(document.cookie)), you should see that the username is sam and the pass is jillisdead, so what are you waiting for, encrypt it already! For this we will need to do a javascript injection. Enter in your address bar:
javascript:void(document.cookie="username=binary encrypted text");
Replacing the "binary encrypted text" with, yep you guessed it, the binary encrypted text! Then all that's left is to refresh. And now time for a nice little sql injection.
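
Added example (not part of the original article): the "ASCII encryption" in Basic 7 is plain 8-bit binary encoding, reversible by anyone without a key, which is why a cookie built from it proves nothing about who set it. The Python sketch below shows the round trip and contrasts it with an HMAC-signed cookie that the server can verify; SERVER_KEY, sign_cookie and verify_cookie are hypothetical names, not the challenge's code.

```python
import hashlib
import hmac

def to_bits(text: str) -> str:
    """Encode ASCII text as 8 binary digits per character."""
    return "".join(f"{b:08b}" for b in text.encode("ascii"))

def from_bits(bits: str) -> str:
    """Decode a run of 0/1 digits back to ASCII; no key is involved."""
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a multiple of 8 binary digits")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")

# Hypothetical server-side secret (constructed value); it never reaches the browser.
SERVER_KEY = b"constructed-demo-key"

def sign_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Issue 'username.tag', where tag is an HMAC only the server can compute."""
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"

def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the username if the tag matches, otherwise None."""
    username, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(tag.encode(), expected.encode()) else None

if __name__ == "__main__":
    hint = "011000100110100101101110011000010111001001111001"  # hint string from the article
    print("decoded hint:", from_bits(hint))
    print("round trip ok:", from_bits(to_bits("guest")) == "guest")  # constructed value

    issued = sign_cookie("guest")
    forged = "admin." + issued.rpartition(".")[2]  # client swaps the name, keeps the old tag
    print("issued cookie accepted as:", verify_cookie(issued))
    print("forged cookie accepted as:", verify_cookie(forged))
```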

_Basic 8_
Right, basic 8; this time we need a lengthy SQL injection, not just a ' or 1=1-- injection. In the password box type any random word and hit enter; you should get an SQL error. Now if you view the source and look for comments again you can see <!--?sql_query-->Wrong SQL query. For those who know some basics of web coding, you can put things on the end of file names with a question mark, for example: something.php?variable=something. This would work using a $_GET of the name "variable".
So, we know that this script uses $_GET['sql_query']. Now if you look at the name of the variable, "sql_query", you should be able to work out what it may do. So try some SQL queries using the SQL error we got earlier.

_Basic 9_
Alrighty, just over halfway to finishing the basics! In basic 9's description, you should notice that the file search utility searches for files in the directory /files/. So, if we take a look at http://www.hellboundhackers.org/challenges/basic9/files/ you can see there's a login.php file! By now, you should know that the source of a login usually contains the user and password unless it does a database query. Now, if we go back to the file searcher and put in "login.php", we can see that it's a real login. Obviously you can't view the raw PHP code of web pages because it gets parsed, but there's an exploit called the Poison NULL Byte. For those who haven't heard of it, it's when you add %00 on to the end of things, such as page.php?file=config.php%00; this could show you the source of the config.php file. In this challenge we need the source of login.php, so try searching login.php with a poison null byte on the end.

_Basic 10_
Ok then! You may or may not know what a proxy is, but you should know what an IP is. If not: an IP address is basically the address of your computer. And what a proxy does is, it kind of changes your IP. For this challenge you need to get a proxy that's in the right range to get into /admin/. Those who are on ntl internet may have problems with this challenge, as ntl gives you what's called a "shared IP"; it's basically a proxy, but it means you can't change it :(

_Basic 11_
Hurrah! User agents again. This time we need to change the user agent and the OS. Those who did basic 3 with the user agent switcher plugin may notice that the user agents that are already there say things like: Internet Explorer 6 (Windows XP). This tells us that they are running Windows XP and using IE6, so it shows that user agent strings are like this: User agent (Operating system)
Now what's left is to change your user agent and refresh.

_Basic 12_
Okie doodle doo, you should notice when you click Basic 12 on the basic.php page it goes to: basic12/index.php?page=challenges.php
This is called file inclusion, and this can be exploited. You see, we need to get the user:pass combination from the /protected/ folder. This folder is passworded with .htpasswd/.htaccess, so if we try and include the .htaccess file it may give us the password file :) Now once we have the hash, we need to crack it. It's encrypted with DES; this can be easily cracked with John The Ripper (http://openwall.com/john/). A lot of people struggled trying to crack this, as if you try and brute force it, it may take weeks; you need a wordlist, google for one. Once cracked, go to the protected folder and enter in the username and password to get the points.
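
Added example (not from the original article or the challenge's code): Basic 9 and Basic 12 both come down to a server opening whatever file name the request supplies. The Python sketch below shows why a suffix check on the raw string fails against a trailing NUL byte, and one way to validate a requested name before opening it; the directory, file names and the .txt allowlist are constructed assumptions.

```python
from pathlib import Path

ALLOWED_SUFFIXES = {".txt"}  # assumption: the utility should only serve text files

def naive_check(name: str) -> bool:
    """Flawed pattern: trust the suffix of the raw request string."""
    return name.endswith(".txt")

def c_string_view(name: str) -> str:
    """What a C-level file API opens: the name stops at the first NUL byte."""
    return name.split("\x00", 1)[0]

def safe_resolve(base: Path, name: str) -> Path:
    """Return the resolved path only if it is an allowed file inside base."""
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    base = base.resolve()
    target = (base / name).resolve()  # collapses ".." and absolute names
    if base not in target.parents:
        raise ValueError("path escapes base directory")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("file type not allowed")
    return target

def classify(base: Path, name: str) -> str:
    """Summarise the decision for one requested name."""
    try:
        return "served: " + safe_resolve(base, name).name
    except ValueError as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    base = Path("/srv/app/files")  # constructed directory, need not exist
    # Constructed requests: normal, NUL-terminated, traversal, wrong type.
    requests = ["notes.txt", "login.php\x00.txt", "../protected/.htaccess", "login.php"]
    for requested in requests:
        print(repr(requested),
              "| naive suffix check passes:", naive_check(requested),
              "| file a C API would open:", repr(c_string_view(requested)),
              "|", classify(base, requested))
```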

_Basic 13_
Right, basic 13. You are told to log in as George, but what's this?! There is no George!!! Oh my god!!!!!!!! Well, being the elite hacker that you are, you can manipulate the form :D So, save the page to your hard drive and modify the values in the form. Don't forget to make it post to the HBH site.

_Basic 14_
Hm, again with the source...in this one, when you find the comment, you are told to go to a certain file to get the "new password". Once you've gotten it go and get your points.

_Basic 15_
Soooooo, we get told a file that hides directories, what could it be? It's something.txt! What, you thought I'd give you the answer? *tsk tsk* Go and google. Once you have the _real_ file then you can get your points wooooooooo.

_Basic 16_
Hooray! Only one more to go! On this one, you are told it's vulnerable to SQL Injection, so what are you waiting for, inject already!!! Right, now you're done.
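
Added example (not part of the original article): the login bypass behind the ' or 1=1-- string mentioned in Basic 8, shown next to the parameterized form that closes it. It uses Python's sqlite3 with an in-memory table; the table, account and function names are constructed for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory table with one constructed account (plaintext only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn

def login_concatenated(conn, name: str, password: str) -> bool:
    # Input becomes part of the SQL text, so a quote can end the string literal.
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, name: str, password: str) -> bool:
    # Placeholders keep input as data; the SQL text never changes.
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None

def outcome(login, conn, name: str, password: str) -> str:
    """Run one login attempt and report what the caller would observe."""
    try:
        return "granted" if login(conn, name, password) else "denied"
    except sqlite3.Error:
        return "sql error"

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: correct password, wrong password, lone quote, the article's string.
    for pw in ["constructed-secret", "wrong", "'", "' or 1=1--"]:
        print(repr(pw),
              "| concatenated:", outcome(login_concatenated, db, "admin", pw),
              "| parameterized:", outcome(login_parameterized, db, "admin", pw))
```

The lone quote is the useful detection signal: a database syntax error triggered by user input means the input is reaching the SQL parser as code.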

_Basic 17_
Yay, the last one! For this one, you'll notice your PC may lag when you first attempt it. That's because it's a Java applet and a lot of PCs hate them, especially mine; it freezes up every time a Java applet runs. But anyway, if you view the source you can see that there's a file, basic17.class, so let's download it.
Once you have that downloaded, you'll need to open a certain program to read it. Google for a decompiler for this file type. Once you have a decompiler, open this file with it and you should be able to see the Java source code. If you look, you should see the password, so go back to /challenges/basic17 and enter the password; a new window will open and then you'll receive your points! Bang, another mission down :p

blue_sunday on June 20 2007 - 13:04:29
thanks, it helps so much ... please don't delete this article. from this spoiler we can know how to do in real life

Kuzmin on December 17 2007 - 18:09:34
This is just so awesome, surely, it is a lot of spoilers in it, but you still learn something from them.

-skitzo- on January 25 2008 - 22:37:24
Ya it is a nice article, but I recommend next time that you include fewer spoilers. Hacking is about learning how to do these things yourself, not read how someone else did it. Though I did like the article it's very helpful. Try to not use as many spoilers, if any at all, next time. Thanks again. =)

waxor on August 09 2008 - 13:20:16
I haven't yet completed all basic challenges but as I got stuck on challenge 6 (even knowing basic Linux commands). So I started looking for help and found this article.
After finishing the challenge I still missed the basic of this challenge, it does not say in the tutorial how you got the name of the log files. Maybe it could be a nice thing to add.

AMZ19 on February 03 2009 - 10:20:51
Great work System! To answer your question, waxor, I'll answer a bigger one: In all of these web hacks I've noticed that it pays to over analyze and scrutinize everywhere possible - poke around a lot. More info means more power. This is also true in real life circumstances. In basic 6 the file "logs.txt" is mentioned as well as another log file. What do you do when you have a group of files of a similar nature? You make a directory. If you type http://www.hellboundhackers.org/challenges/basic6/logs into your url bar you'll find all these files. Of course this discovery was made through a bit of trial and error, but I'm sure we're all used to that.

t0xikc0mputer on January 17 2011 - 23:06:11
@skitzo yes I agree, but the point of this website is to learn how to hack by association and learning the methods. In the real world no one will give you answers, but here you learn from answers.

kingcocomango on February 03 2011 - 01:10:10
thanks amz19 for the explanation on how to get the directory

kingcocomango on February 03 2011 - 06:01:52
also may i ask how to make an offline version post to a certain website?

QuicK2800 on April 15 2013 - 23:18:12
This is awesome!
However, on Web Basic 9, there has been a 2nd part added. I can't figure it out lol

Hellbound Hackers is the collective work of the staff and the community and is therefore licensed under the CC BY-NC-SA license.